diff --git a/bash.changes b/bash.changes
index 40bab4ae..7b30a6ac 100644
--- a/bash.changes
+++ b/bash.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 28 11:41:49 UTC 2016 - werner@suse.de
+
+- Add upstream patch popd-offset-overflow.patch to fix boo#1010845
+ CVE-2016-9401: bash: popd controlled free (Segmentation fault)
+ Remark: this is a simple Segmentation fault, no security risk
+
 -------------------------------------------------------------------
 Thu Nov 17 09:27:21 UTC 2016 - werner@suse.de
 
diff --git a/bash.spec b/bash.spec
index fc0ede2d..ae43cd9a 100644
--- a/bash.spec
+++ b/bash.spec
@@ -92,6 +92,8 @@ Patch27: readline-6.2-xmalloc.dif
 Patch30: readline-6.3-destdir.patch
 Patch31: readline-6.3-rltrace.patch
 Patch40: bash-4.1-bash.bashrc.dif
+# PATCH-FIX-UPSTREAM boo#1010845 -- CVE-2016-9401: bash: popd controlled free (Segmentation fault)
+Patch41: popd-offset-overflow.patch
 Patch46: man2html-no-timestamp.patch
 Patch47: bash-4.3-perl522.patch
 # PATCH-FIX-SUSE
@@ -300,6 +302,7 @@ done
 #%patch25 -p0 -b .endpw
 %patch31 -p0 -b .tmp
 %patch40 -p0 -b .bashrc
+%patch41 -p0 -b .popd
 %patch46 -p0 -b .notimestamp
 %patch47 -p0 -b .perl522
 %if %{with import_function}
diff --git a/popd-offset-overflow.patch b/popd-offset-overflow.patch
new file mode 100644
index 00000000..4237330e
--- /dev/null
+++ b/popd-offset-overflow.patch
@@ -0,0 +1,27 @@
+*** ../bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500
+--- builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400
+***************
+*** 366,370 ****
+ }
+
+! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+--- 366,370 ----
+ }
+
+! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+***************
+*** 388,391 ****
+--- 388,396 ----
+ of the list into place. */
+ i = (direction == '+') ? directory_list_offset - which : which;
++ if (i < 0 || i > directory_list_offset)
++ {
++ pushd_error (directory_list_offset, which_word ? which_word : "");
++ return (EXECUTION_FAILURE);
++ }
+ free (pushd_directory_list[i]);
+ directory_list_offset--;
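Review bot: The new guard ahead of `free (pushd_directory_list[i])` rejects `i > directory_list_offset` but still lets `i == directory_list_offset` through. Since `directory_list_offset--` follows the free, the live entries appear to be indices 0 through `directory_list_offset - 1`, so that value would index one slot past the last live entry. An earlier branch may already divert the `which == 0` / `which == directory_list_offset` cases, but the enclosing function starts and ends outside this hunk, so that cannot be confirmed here. If that is the case, either tighten the test to `if (i < 0 || i >= directory_list_offset)` or add a comment such as `/* i == directory_list_offset is handled by the top-of-stack case above */` so the bound does not silently depend on code elsewhere. The changelog calls the issue a "controlled free", so a check that is exact on its own is worth having before an index-driven `free`.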